Managing Third Parties: Identifying and Mitigating Anti-Bribery and Corruption Risks

October 7, 2020

In this increasingly digital world, it’s hard for a company to get away with a typo, let alone a major issue such as bribery or corruption. And yet, these shady practices still happen quite often behind closed doors, and most of the time, they’re even brought on by third-party organizations.

In fact, more than 90% of all FCPA enforcement actions over the last 40 years have been linked to the misconduct of third parties. And when action is taken, the companies involved face damaging reputational issues and lengthy, expensive legal battles.

Cutting ties with all third parties isn’t a viable option. But how are you supposed to know what your third-party partners are up to? Surely if there were a way to avoid putting your organization at risk for bribery and corruption, you would mitigate that risk in a heartbeat.

Luckily for you, there are multiple ways to avoid such damages. Here’s the 10-step framework for mitigating third-party anti-bribery and corruption risks.

1.    Establish a culture of governance and commitment to integrity

Third-party anti-bribery management can only be effective if it’s embedded in your company’s culture. This culture needs to be established on the premise of values, integrity, and governance.

Companies that lack an executive stake in third-party management are more susceptible to risk. It’s important for senior leadership not only to be fully aware of relevant legislation, sanctions, and associated risks, but also to ensure the investment is made into the resources needed to develop a third-party anti-bribery and corruption monitoring program.

2.    Develop an integrated approach for managing third parties

Managing third-party relationships is complex and involves the participation of many different functions across your organization. Misaligned processes only increase your exposure to bribery risk.

For that reason, it’s crucial your organization ensures the anti-bribery and corruption program is deployed with a clear and conscious playbook across the entire company.

3.    Build a trustworthy relationship with your third parties

Misaligned objectives and communication gaps between your organization and its third parties increase your bribery risk. If your stance about corporate integrity isn’t communicated upfront, your anti-bribery program will fall victim to poor training, contractual provisions, and other controls.

To avoid this, your organization can have employees and third parties agree about common goals and strive together to uphold the corporate standards of integrity.

4.    Know who all your third parties are

Get a clear idea of your third-party relationships. Identify and register all your third parties and collect, analyze, and store relevant information about them – including their ownership, how they operate, their integrity and anti-corruption standards, and any significant bribery and corruption risks.

Keep in mind third parties can be any of the following:

  • Vendors or suppliers
  • Distributors or resellers
  • Joint venture partners
  • Advisors or consultants
  • Service providers
  • Contractors or subcontractors
  • Lobbyists
  • Marketing and sales agents
  • Customs or visa agents
  • Other intermediaries

5.    Use risk assessment processes for addressing third-party risk

There’s no “one-size-fits-all” approach to third-party bribery risk management. The risk assessment process is used to identify, segment, mitigate, and monitor the risk and risk factors attached to your third-party partners. This information is used to design the criteria in due diligence and continue expanding upon the foundation of your anti-bribery program.

There are six key steps of an anti-bribery risk assessment:

  1. Plan, scope, and mobilize.
  2. Gather information about typical third-party risks.
  3. Identify general risk factors.
  4. Assign risk categories to types of third parties and other risk rating criteria.
  5. Define the process for mitigating identified third-party risks.

There are a variety of well-known risk assessments from which your organization can choose. Give one a shot and keep in mind this process should be repeated periodically.

6.    Develop a selective approach when engaging third parties

Bribery risk can develop from third parties being engaged through incomplete processes, preventing your company from being able to apply efficient controls due to silos and unreliable standards. Risks include company policies being undermined by local work-arounds or deliberate falsification of third-party documentation.

To dodge these risks, your organization should be selective in choosing vendors. Develop a standard operating procedure to be followed in advance of entering into any future business relationships. This SOP should include:

  • Steps for employees to follow when engaging third parties
  • A definition of third parties and other relevant terminology
  • Relevant examples of third parties
  • An onboarding process
  • Guidance about the responsibilities of each department
  • Information about monitoring requirements

7.    Carry out an appropriate level of pre-engagement due diligence on third parties and repeat it periodically

Due diligence screens third parties for red flags to help your company avoid any association with third parties that could lead to damage. The due diligence process should also be capable of managing large numbers of third parties without taking up too much time on low-risk vendors.

Build your due diligence methodology on the results of your company’s third-party bribery risk assessment. These predefined criteria will allow you to assess individual third parties for their inherent risks. Here are the five steps in the due diligence process:

  1. Ensure all third parties are categorized with a risk rating.
  2. Get further information and documentation from the third party and business unit.
  3. Research and assess other information according to the level of assigned risk.
  4. Mitigate any identified risks.
  5. Evaluate and, if everything checks out, proceed to contract.

8.    Use customized training and communications

Even if a third party checks out after your risk assessment and due diligence process, you can’t automatically assume the third party’s employees will have a good understanding of your processes and expectations. For this reason, you should provide tailored communications and training to third-party relationship managers and third-party employees that match the defined risk level.

9.    Put in place rigorous monitoring procedures to detect bribery incidents and breaches of the anti-bribery program

Your company should regularly collect new information about third parties by:

  • Requesting updated information directly from them to self-certify compliance with your anti-bribery program.
  • Exercising audit rights or using technology to automate this process.
  • Conducting renewed due diligence.

The results of this monitoring have two benefits. First, they can be used for your company’s overall public reporting about anti-bribery and corruption measures. Second, regular monitoring serves as a deterrent for any third parties or employees contemplating bribery.

10.   Review your third-party anti-bribery and corruption program periodically

You should always strive to improve your anti-bribery program. A few ways to do this are to periodically:

  • Test risk assessment and due diligence procedures
  • Review internal controls
  • Check incident reports
  • Quiz employees and third parties on their knowledge of the program

Senior management should review these to add suggestions and improvements when necessary.

Anti-bribery and corruption is just one of the ways third-party vendors open you up to risk. They can also put your business at risk for non-compliance and cybersecurity breaches.

Creating a holistic approach to managing your third-party vendors is a big project. Luckily, there’s technology to help you do it with ease and efficiency. As you think about your third-party risk management provider, consider Vendorpedia.

The Vendorpedia™ Cyber Risk Exchange and Third-Party Risk Management Software offers intelligence and automation to solve these challenges and provide value throughout the vendor relationship, from faster onboarding to real-time monitoring and unprecedented vendor visibility.

Want to try it out? We’re offering an extended free trial that includes access to 10 free and completed vendor risk assessments.
